Cybercriminals are currently mass-mailing hundreds of thousands of emails impersonating Citi, using two different professional-looking email templates. Clicking any of the links in the malicious emails exposes the user to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the first spamvertised template:

Sample screenshot of the second spamvertised template:

Sample spamvertised compromised URLs used in the campaign (all share the /components/com_ag_google_analytics2/ path, the layout of a Joomla component directory, which indicates the hosts are compromised Joomla installs and makes the path itself a useful pivot when hunting in proxy logs):
hxxp://franctelnetwork.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://ghostdeal.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://thesmsway.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://911pcs.com/components/com_ag_google_analytics2/alert-service-citibank.html
hxxp://rjewelryd.com/components/com_ag_google_analytics2/alert-service-citibank.html
hxxp://softwarehit.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
hxxp://ceipfernandogavilan.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
hxxp://troubleshootersacademy.com/components/com_ag_google_analytics2/citialert-sign_in.html

Once the exploit succeeds, the dropped malware creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

It also writes the following Run-key value, which relaunches the dropped executable from %AppData% at every logon (the persistence mechanism):
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = "%AppData%\KB00121600.exe"

It then creates the following mutexes:
Local\XMM000003F8
Local\XMI000003F8
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8

It also drops files with the following MD5s:
9e7577dc5d0d95e2511f65734249eba9
61bb88526ff6275f1c820aac4cd0dbe9
b360fec7652688dc9215fd366530d40c
f6ee1fcaf7b87d23f09748cbcf5b3af5
d7a950fefd60dbaa01df2d85fefb3862
ed662e73f697c92cd99b3431d5d72091

The sample then phones back to its command and control server at 209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA.

We’ve already seen the same command and control server used in the following previously profiled malicious campaigns:

The same email address (solaradvent@yahoo.com) that was used to register the name server domains in this campaign is also known to have registered the following domains:
AFRICANBEAT.NET
ALEGRECAMPO.NET
GAUGE-MASTER.NET
TOMOLLALLAMAFARM.NET

Responding to 59.57.247.185 are also the following malicious domains:
eaglepointecondo.org
sessionid0147239047829578349578239077.pl
pleansantwille.com
ibertomoralles.com
eaglepointecondo.co
eaglepointecondo.biz
ansncm.org
canbmn.org
hfeitu.net
labpr.com
namelesscorn.net
platinumbristol.net
porkystory.net
robertokarlosskiy.su
romoviebabenki.ru
seldomname.com
winterskyserf.ru
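As a hunting aid, the indicators listed above (landing-page URLs, registry keys, Run-key persistence, mutexes, MD5s, C2 address and the domains sharing its sinkhole IP) can be turned into a small matcher run over endpoint and proxy events. This is an added example, not code from the original post: the indicators are copied from the page, the event records and the host unlisted-host.invalid are constructed for illustration, and the loose mutex regex is an assumption that generalizes the XMM/XMI naming seen in the listed mutexes.

```python
"""IOC matcher for the Citi-themed Black Hole campaign above.
Added example; indicators come from the post, sample events are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# --- Indicators from the post ----------------------------------------------
COMPROMISED_PATH = "/components/com_ag_google_analytics2/"   # Joomla component dir
LANDING_PAGES = {"citialertservice.html", "alert-service-citibank.html",
                 "alert-service-citi-sign_in.html", "citialert-sign_in.html"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_IMAGE = "kb00121600.exe"          # written as %AppData%\KB00121600.exe
DROPPER_KEYS = {r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4",
                r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B"}
MUTEXES = {r"Local\XMM000003F8", r"Local\XMI000003F8", r"Local\XMRFB119394",
           r"Local\XMM000005E4", r"Local\XMI000005E4", r"Local\XMM0000009C",
           r"Local\XMI0000009C", r"Local\XMM000000C8", r"Local\XMI000000C8"}
# Assumption: the XMM/XMI names differ only in an 8-hex-digit suffix, so a
# loose pattern catches the same naming scheme with an unseen suffix.
MUTEX_RE = re.compile(r"^Local\\XM[MI][0-9A-F]{8}$")
MD5S = {"9e7577dc5d0d95e2511f65734249eba9", "61bb88526ff6275f1c820aac4cd0dbe9",
        "b360fec7652688dc9215fd366530d40c", "f6ee1fcaf7b87d23f09748cbcf5b3af5",
        "d7a950fefd60dbaa01df2d85fefb3862", "ed662e73f697c92cd99b3431d5d72091"}
C2_IP, C2_PATH = "209.51.221.247", "/AJtw/UCyqrDAA/Ud+asDAA"
BAD_HOSTS = {"59.57.247.185", "eaglepointecondo.org", "pleansantwille.com",
             "sessionid0147239047829578349578239077.pl", "ibertomoralles.com",
             "eaglepointecondo.co", "eaglepointecondo.biz", "ansncm.org",
             "canbmn.org", "hfeitu.net", "labpr.com", "namelesscorn.net",
             "platinumbristol.net", "porkystory.net", "robertokarlosskiy.su",
             "romoviebabenki.ru", "seldomname.com", "winterskyserf.ru"}


@dataclass
class Event:
    kind: str          # "url" | "registry" | "mutex" | "hash" | "conn"
    value: str
    data: str = ""     # registry value data, when kind == "registry"


def classify(ev: Event) -> Optional[str]:
    """Return why an event matches the campaign IOCs, or None if it does not."""
    if ev.kind == "url":
        u = urlparse(ev.value.replace("hxxp", "http", 1))   # accept defanged URLs
        host = (u.hostname or "").lower()
        if u.path.startswith(COMPROMISED_PATH):
            if u.path.rsplit("/", 1)[-1] in LANDING_PAGES:
                return "known Citi landing page on compromised host"
            return "campaign path on unlisted host (possible new variant)"
        if host == C2_IP and u.path == C2_PATH:
            return "C2 check-in URL"
        if host == C2_IP or host in BAD_HOSTS:
            return "request to known C2 infrastructure"
    elif ev.kind == "registry":
        if ev.value in DROPPER_KEYS:
            return "registry key created by the dropped sample"
        # Real telemetry shows %AppData% expanded, so match on the image name.
        if ev.value == RUN_KEY and ev.data.lower().endswith("\\" + RUN_IMAGE):
            return "Run-key persistence for KB00121600.exe"
    elif ev.kind == "mutex":
        if ev.value in MUTEXES:
            return "known mutex"
        if MUTEX_RE.match(ev.value):
            return "mutex naming pattern (XMM/XMI + hex suffix)"
    elif ev.kind == "hash":
        if ev.value.lower() in MD5S:
            return "known dropped-file MD5"
    elif ev.kind == "conn":
        if ev.value.lower() == C2_IP or ev.value.lower() in BAD_HOSTS:
            return "connection to known C2 infrastructure"
    return None


def scan(events: Iterable[Event]) -> List[Tuple[Event, str]]:
    """Run every event through classify() and keep only the hits."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("url", "hxxp://ghostdeal.com/components/com_ag_google_analytics2/citialertservice.html"),
    Event("url", "http://unlisted-host.invalid/components/com_ag_google_analytics2/alert.html"),
    Event("url", "http://209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA"),
    Event("registry", RUN_KEY, r"C:\Users\alice\AppData\Roaming\KB00121600.exe"),
    Event("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4"),
    Event("mutex", r"Local\XMM000003F8"),
    Event("mutex", r"Local\XMI00001A2C"),        # same scheme, unseen suffix
    Event("hash", "9E7577DC5D0D95E2511F65734249EBA9"),
    Event("conn", "eaglepointecondo.org"),
    Event("url", "https://www.citi.com/"),       # benign: must not match
    Event("mutex", r"Local\SomeUnrelatedMutex"), # benign: must not match
]

if __name__ == "__main__":
    for ev, why in scan(SAMPLE_EVENTS):
        print(f"{ev.kind:9} {why:55} {ev.value}")
```

Two design choices are worth noting. The Run-key check matches on the image name rather than the literal "%AppData%\KB00121600.exe" string, because endpoint telemetry normally records the expanded path. The URL check flags any request into /components/com_ag_google_analytics2/ even on a host not in the list, since the campaign rotates compromised sites while keeping that path; treat those hits as leads to verify rather than confirmed infections.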